Hackers use malicious MSI files that download and execute malicious files that could bypass traditional security solutions. The dropped malware is capable of initiating a system shutdown or targeting financial systems located in certain locations.
Security researchers from TrendMicro discovered JScript/VBScript codes in several malicious *.msi files distributed through spam emails.
The malicious JS code embedded with *.msi downloads the text and other files from the Amazonaws server, the malware contains the filenames such as Jesus or dump and the text file named as desktop.txt, desktop, and desktop.ini.
The infection starts with the spam mail that contains a malicious attachment which downloads from one of the malicious URLs.
According to TrendMicro analysis report the payload targets only Brazil and Portugal users and extract banking and financial information, or even keystrokes.
The campaign leverages the custom action in MSI to execute installations and to bypass traditional security solutions. The MSI files are disguised as Adobe Acrobat Reader DC and takes users to the Portuguese website.
“We were able to add to or modify custom actions of the samples, such as executing JS, VBS, and PowerShell scripts, and even loading libraries, with Advanced Installer. This could be favorable to malicious actors looking to abuse the functions so that they can easily modify normal MSI packages and insert malicious scripts.”
TrendMicro believes that malware authors are testing different methods on targets located in Brazil and Portugal. The list IoCs can be found here.